Understanding DMARC Reports and Managing Your DMARC Aggregate & Forensic Reports
DMARC reports are organized DMARC authentication and sender alignment data that are typically delivered to a designated email address or accessible through a web-based portal. Once you have the reports, you can analyze them to gain insights into the DMARC authentication status and handling of email messages sent from your domain.
In this blog post, I will show you some websites with useful tools to help you manage your DMARC reports.
Check Your Domain DMARC/SPF/DKIM Status
Configure DMARC
1 Proofpoint has a free interactive tool to create your DMARC record here.
2 https://mxtoolbox.com/dmarc/details/dmarc-tags
3 DMARC Report (https://app.dmarcreport.com/) (jy @ 51sec): Manage and monitor your DMARC configuration and reports
4 https://app.easydmarc.com/
5 https://dmarcian.com/domain-checker/
- Policy set to none

```
_dmarc.contoso.com 3600 IN TXT "v=DMARC1; p=none"
```

- Policy set to quarantine

```
_dmarc.contoso.com 3600 IN TXT "v=DMARC1; p=quarantine"
```

- Policy set to reject

```
_dmarc.contoso.com 3600 IN TXT "v=DMARC1; p=reject"
```
Once you've formed your record, you need to update the record at your domain registrar.
DMARC configuration
- TXT _dmarc v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:[email protected]
Understand DMARC Report
You might receive DMARC aggregate reports from different email providers, such as Microsoft and Google, as shown below.
The report should contain information about your ISP, source IP, sender address, server and authentication status.
In the raw file for your reports, you can find information about:
- Your ISP, the name of your email service provider

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>[email protected]</email>
    <extra_contact_info>http://google.com/dmarc/support</extra_contact_info>
```

- The report ID number

```xml
<report_id>8293631894893125362</report_id>
```

- The beginning and ending date range (in seconds)

```xml
<date_range>
  <begin>1234573120</begin>
  <end>1234453590</end>
</date_range>
```

Note: You can check the time from https://www.epochconverter.com/

- Your DMARC record specifications as published in your domain's DNS

```xml
<policy_published>
  <domain>yourdomain.com</domain>
  <adkim>r</adkim>
  <aspf>r</aspf>
  <p>none</p>
  <sp>none</sp>
  <pct>100</pct>
</policy_published>
```

- IP address of the sending source

```xml
<source_ip>302.0.214.308</source_ip>
```

- An overview of your authentication results (SPF and DKIM pass/fail result summary)

```xml
<policy_evaluated>
  <disposition>none</disposition>
  <dkim>fail</dkim>
  <spf>pass</spf>
</policy_evaluated>
```

- From: domain

```xml
<header_from>yourdomain.com</header_from>
```

- DKIM authentication results

```xml
<dkim>
  <domain>yourdomain.com</domain>
  <result>fail</result>
  <human_result></human_result>
</dkim>
```

- SPF authentication results

```xml
<spf>
  <domain>yourdomain.com</domain>
  <result>pass</result>
</spf>
```
```xml
<?xml version="1.0"?>
<feedback xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <version>1.0</version>
  <report_metadata>
    <org_name>Outlook.com</org_name>
    <email>[email protected]</email>
    <report_id>ab0f1e00f37c4e5699ad3918b6694d18</report_id>
    <date_range>
      <begin>1698969600</begin>
      <end>1699056000</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>51sec.org</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>quarantine</p>
    <sp>quarantine</sp>
    <pct>100</pct>
    <fo>1</fo>
  </policy_published>
  <record>
    <row>
      <source_ip>38.121.105.168</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>quarantine</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <envelope_to>hotmail.com</envelope_to>
      <envelope_from>51sec.org</envelope_from>
      <header_from>51sec.org</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>51sec.org</domain>
        <scope>mfrom</scope>
        <result>fail</result>
      </spf>
    </auth_results>
  </record>
</feedback>
```
Check the source IP to see whether it makes sense to you, that is, whether it is a server from which you might have sent an email to hotmail.com. If you do not recognize this IP or the destination domain hotmail.com, most likely someone is trying to spoof your domain to send emails to hotmail.com.
| IP | PTR | Country | Volume | Date | Applied policy | Override reasons | Reporter | SPF Auth | DKIM Auth | SPF Alignment | DKIM Alignment | SPF Verdict | DKIM Verdict |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 38.121.105.168 | | 🇺🇸 | 1 | Nov 02, 2023 | quarantine | | Outlook.com | FAIL - 51sec.org | | Not Aligned | Not Aligned | Failed | Failed |
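The same triage can be scripted. The following is an added example, not code from the original post: it parses an aggregate report with Python's standard library, converts the date range to UTC, and lists the sources where both aligned checks failed. The names `summarize`, `utc` and `SAMPLE`, and the second sample record, are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: record 1 mirrors the Outlook.com report above; record 2
# (192.0.2.10, a documentation address) is invented to show a passing source.
SAMPLE = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>Outlook.com</org_name>
    <date_range><begin>1698969600</begin><end>1699056000</end></date_range>
  </report_metadata>
  <record>
    <row><source_ip>38.121.105.168</source_ip><count>1</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><envelope_to>hotmail.com</envelope_to><header_from>51sec.org</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>7</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><envelope_to>hotmail.com</envelope_to><header_from>51sec.org</header_from></identifiers>
  </record>
</feedback>"""

def utc(epoch):
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).strftime("%Y-%m-%d %H:%M")

def summarize(xml_text):
    # Reports come from third parties: refuse DTDs rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD in DMARC report")
    root = ET.fromstring(xml_text)
    meta = root.find("report_metadata")
    rows = []
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        dkim, spf = ev.findtext("dkim", ""), ev.findtext("spf", "")
        rows.append({
            "ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count", "0")),
            "disposition": ev.findtext("disposition"),
            "sent_to": rec.findtext("identifiers/envelope_to"),
            "dmarc_pass": "pass" in (dkim, spf),  # either aligned check passing is enough
        })
    return {"reporter": meta.findtext("org_name"),
            "window": (utc(meta.findtext("date_range/begin")), utc(meta.findtext("date_range/end"))),
            "unverified": [r for r in rows if not r["dmarc_pass"]], "rows": rows}

if __name__ == "__main__":
    print(summarize(SAMPLE)["unverified"])
```

Each entry in `unverified` is a source IP to compare against the servers and services you actually send mail from.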
References
- https://powerdmarc.com/how-to-read-dmarc-reports/